Chartered Accountant and Fintech Specialist
Share this content

Clubhouse security called into question

While Clubhouse’s popularity continues to increase, its time in the spotlight has put the platform under scrutiny. In part two of Clubhouse for accountants, Nick Levine investigates recent concerns surrounding the private social media app.

15th Mar 2021
Chartered Accountant and Fintech Specialist
Share this content

As of February, the Clubhouse app had been downloaded 10 million times, so it was unsurprising when the platform’s security began suffering under the spotlight over the last few weeks.

As the app is only available on iOS, third-party developers have reverse-engineered Clubhouse to create unofficial versions on Android and Windows to allow non-iPhone users to listen in on Clubhouse room conversations.

The ease at which these apps have been able to access and reuse Clubhouse’s original code, and then broadcast content from the code, has raised alarm bells over its security. This has also raised more comprehensive questions about its use of data from users and GDPR compliance. 

App clones and audio leakage

The plethora of unofficial apps (such a Hipster House and Open Clubhouse) which play back audio from the original platform were created to cater to the demands of individuals who want to consume Clubhouse content but are unable to do so, either due to not being iPhone users or due to the restrictions on room capacity. 

Clubhouse rooms are limited to 5,000 participants, and virtual supply easily outstripped demand when Elon Musk hosted a conversation with Vlad Tened, CEO of commission-free investing app Robinhood in January.

Alongside the use of unofficial apps, Clubhouse conversations were streamed live on YouTube a clear breach of Clubhouse’s terms. The publicity created more demand for the platform, highlighting issues relating to its data usage and security.

While Clubhouse insists that “recording or streaming without the explicit permission of speakers is against the Clubhouse terms of service,” new unofficial apps are still popping up all the time.

The audio leakage is made possible by a security flaw in Clubhouse’s backend, caused by users being able to use Agora’s (real-time voice engagement software which powers the app) API to stream audio without using the Clubhouse app.

Additionally, Agora is based in Shanghai and the USA, and the Stanford Cyber Policy Center believes that the company “would likely have access to users’ raw audio, potentially providing access to the Chinese government.”

Given that Clubhouse is banned in China, it is possible that the state would want to monitor conversations from their citizens. However, Stanford researchers also point out that the Chinese authorities would most likely only access temporarily recorded Clubhouse conversations (for legitimate reasons related to terrorism or hate crime) if the audio is stored in the US.

Data security and privacy 

Alongside data leakage, there are also worries over Clubhouse’s security, particularly with regards to GDPR. This consists of the app's underlying design, alongside a failure not to comply with basic security protocols.

Unlike most other social media platforms, users are not required to confirm their age or true identity when first signing up to the app. Users are also actively encouraged to share their contacts to invite them to join as there is no other way of doing so. This creates the risk of accidentally inviting an ex-partner or former client if their details are stored on users phones. The latter would be particularly embarrassing if the relationship with the former associate did not end amicably. 

This sharing contacts feature fails the GDPR “privacy by design” policy, requiring companies to make the sharing of data opt-in by default. While Clubhouse’s privacy policy claims “express consent” must be granted to share contacts, the app prompts users to do this regularly, and the only way to invite other users to the platform is by sharing your address book. 

Clubhouse also falls foul of GDPR by not implementing end to end encryption (E2EE). This requires social media platforms to encrypt data to safeguard users' communications so that they cannot be intercepted without all parties' consent. In addition to this clearly not being the case from issues related to data leakage, Clubhouse’s privacy policy also states, “if a user reports a Trust and Safety violation while the room is active, we retain the audio for the purposes of investigating the event.”

Exercise caution

Clubhouse has responded to news stories about audio leaks by permanently banning offending users and installing new safeguards to try and prevent this from happening again. They have also recently hired an Android developer to create an app for Google’s mobile operating system. 

However, as the app’s privacy and security fail on several counts, it is unlikely that these issues will soon be resolved.

ICAEW’s Tech Faculty technical manager Kirstin Gillon believes users should use Clubhouse cautiously to ensure sensitive data is not misappropriated. “We should always be mindful of what we share on social media, especially apps that are public or semi-public,” commented Gillon. 

“Cybercriminals often make use of such data to hone phishing or social engineering attacks, so there are risks about sharing even innocuous information.”

Gillon also believes a particular challenge for Clubhouse is its spike in popularity has come very early in its lifecycle. As a result, she thinks it may not have “mature controls and data policies that you would expect to see in a more established company.” 

She advises early adopters to read the platform’s terms and conditions carefully and be cautious about requests relating to personal data collection.

Replies (2)

Please login or register to join the discussion.

By TaxTeddy
16th Mar 2021 09:05

Another app I have never even heard of. I must be getting old.

And 'Hipster House.....? Come on.

Thanks (1)
By Mr J Andrews
18th Mar 2021 11:09

Before reading the article , I though from the header that an alsatian guard dog might be the answer. But I must be older than Tax Teddy. Somehow I don't think I've missed out by not being on of the 10 million or so downloaders.

Thanks (0)